secure salesforce: code scanning with checkmarx
TRANSCRIPT
Secure Salesforce: Static Analysis as a Service Best Practices for using our Source Scanner
Robert Sussland SMTS Product Security [email protected]
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Safe Harbor
Robert Sussland SMTS Product Security, Salesforce
Agenda
• Service Overview
• Intro to Static Analysis
• Static Analysis as a Service
• Parsing Results
• Pain Points and Solutions
• Demo
• Special Guest
• QA
Service Overview
Static Analysis with Checkmarx Suite
Static Analysis with Checkmarx Suite
Static Analysis with Checkmarx Suite
• Look for data flows from sources to sinks
• Sources:
• URL Parameters
• sObject Values
• User Input (e.g. in a form)
• @AuraEnabled methods
• Sinks
• Unescaped HTML (e.g. aura:unescapedHtml or VF escape=“false”) //XSS
• Database.query() //SOQL injection
Static Analysis with Checkmarx Suite
• If data flows from a source to sink without passing through a sanitizer, then report a vulnerability.
• Sanitizers:
• String.escapeSingleQuote() //SOQL injection
• HTMLENCODE() //VF page
• We don’t have a full string solver, or full information about data types or context:
Static Analysis with Checkmarx Suite
• If data flows from a source to sink without passing through a sanitizer, then report a vulnerability.
• Sanitizers:
• String.escapeSingleQuote() //SOQL injection
• HTMLENCODE() //VF page
• We don’t have a full string solver, or full information about data types or context:
//vulnerable
qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + taint + “ ‘ “;
Static Analysis with Checkmarx Suite
• If data flows from a source to sink without passing through a sanitizer, then report a vulnerability.
• Sanitizers:
• String.escapeSingleQuote() //SOQL injection
• HTMLENCODE() //VF page
• We don’t have a full string solver, or full information about data types or context:
//vulnerable
qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + taint + “ ‘ “;
//vulnerable
qry = “SELECT Name, “ + taint + “FROM Account LIMIT 1”;
Static Analysis with Checkmarx Suite
• False Positives and False Negatives
String sanitized = String.escapeSingleQuotes(taint);
//safe
qry = “SELECT Name, Description FROM Account WHERE Id = ‘ “ + sanitized + “ ‘ “;
Database.query(qry);
//vulnerable (FN)
qry = “SELECT Name, “ + sanitized + “FROM Account LIMIT 1”;
Database.query(qry);
Static Analysis with Checkmarx Suite
• False Negatives
<a href=“{!HTMLENCODE(taint)}”>click here</a> //taint=javascript:
• Trade off between False Positives and False negatives
• Should a substring of a tainted string be tainted?
• Should the string replace of a tainted string be tainted?
• Should the concatenation of a tainted and untainted string be tainted?
• How do we know whether to HTMLENCODE, JSENCODE,URLENCODE?
How to Audit a Result Path
• Look at ends of path
• source should be a valid source
• sink should be a valid sink
• Follow from source to sink to verify that
• Escaping is appropriate for output context
• Escaping happens at the right place
• Escaping complies with your developer policies
Static Analysis as a Service
• We make access to Checkmarx static analysis available online for free
• Primary use case is Appexchange, not bespoke development
• Scan approximately 900 million lines of code per year (closing in on 1 billion lines/year)
• Average lines of code per app ~ 37,000
• Approximately 20,000 apps per year (e.g. average of 54 apps/day)
• During peak usage, we process about 200 apps per day
• Scan time is averages approximately 12.5 lines of code/second, but highly variable
• Dramatic increase in pass rates
Contract with Checkmarx
• Previous contract
• Was for license (1 server) to be used for Appexchange scans
• Strategy was to throttle based on wait times
• Current contract
• Flexible licenses, but limit quantity and types of scans
• Appexchange – 3 free scans per app
• Non-appexchange – 30K lines of code per month
Pain Points and Solutions
Pain points and solutions
• False positives/false negatives
• Recommend to purchase your own scanner to adjust the rules
• Throttling based on code too large
• Limit increased to 750,000 lines of code in the new portal
• Limit will remain 500,000 lines of code for customers that are not parters
• Throttling based on email domain/too many scans submitted
• Removed in new Portal
• No report if no issues found
• New reports
Pain points and solutions
• Issues getting reports
• Many problems with emailing large files
• Addressed in new Portal
• Knowing scan status
• Addressed in new Portal
• Wait too long
• Solution is to add more capacity
• We added 3 servers this year, plan to add 3-6 more servers next year.
• But some scans will still get stuck and need to be resubmitted
• We will still be delayed during monthly patch times (third weekend of each month)
• We will still be delayed during upgrades/service (approx. 4 times per year)
Demo
Special Guest – Igor Matlin, Checkmarx
Integrate into your SDLC and Automate security scans
Developers
Source repository
Fix suggestions
Build management
Auditor control panel
Bug tracking
SVN
TFS
TFS
Bamboo
Web Service API
CLI
CxAudit Checkmarx web client
TeamMentor
Dashboards
DAST
Integrations
Scan & Fix Your Code Security Flaws
detailed remediation
advice
where to fix (best place to fix)
vulnerable line of code
IDE integration
?
Attack vector
IDE Plugins available for
Eclipse Checkmarx© Plugin
For more information about
Checkmarx© Enterprise Grade Security Scanner please visit www.checkmarx.com/salesforce
Summary
Summary
• Understand the basics of dataflows to help detect false positives and false negatives
• Sign up for new portal! http://goo.gl/forms/OsZVkwWKR2
• Look at CX offerings for your enterprise!
Secure Salesforce at Dreamforce 2015
10 DevZone Talks and 2 Lighting Zone Talks covering all aspects of Security on the Salesforce Platform
Visit our booth in the DevZone with any security questions
Check out the schedule and details at http://bit.ly/DF15Sec
Admin-related security questions?
Join us for coffee in the Admin Zone Security Cafe
Secure Salesforce – Thursday Afternoon
Lightning Components Best Practices Robert Sussland and Sergey Gorbaty 4:45pm in Moscone West 2007
Common Secure Coding Mistakes Rachel Black and Alejandro Raigon Munoz 5:00pm in Moscone West 2006
Secure Salesforce – Friday
Chimera: External Integration Security Tim Bach and Travis Safford 10:00am in Moscone West 2009
Thank you